The HeartBeat APT Campaign - Trend Micro Incorporated Research Paper 2012 - Roland Dela Paz

Trend Micro Incorporated
Research Paper
2012

The HeartBeat APT Campaign

Roland Dela Paz
Contents

About This Paper
Introduction
Campaign Targets
Context
Attack Vector
Infection Flow
The RAT Component
    Backdoor Functionalities
    Installation and Persistence
    C&C Communication
Command and Control
HeartBeat Campaign Codes and Decoy Documents
Relationships among C&C Domains, IPs, and Campaigns
Attribution
Conclusion
Timeline
Defending against the HeartBeat Campaign
Trend Micro Threat Protection Against The HeartBeat Campaign Components

About This Paper

This paper exposes a targeted attack called “HeartBeat,” which has been persistently pursuing the South Korean government and related organizations since 2009. This paper will discuss how their specifically crafted campaigns infiltrate their targets.

Compared to most advanced persistent threat (APT) campaigns, which target diverse industries, the HeartBeat campaign is an isolated case. Furthermore, we will examine their attack methodologies, which include their attack vector, the remote administration tool (RAT) component, and command-and-control servers. Finally, we will discuss how this information can be useful in developing defensive strategies that protect organizations as well as in predicting future targets.

Introduction

Today’s cybercriminals try to infect as many users as possible. Their goal is simple: to monetize the resources or data from infected machines in any way they can. Behind such attacks are highly covert targeted campaigns known as APTs.

While targeted campaigns continue to increase, research efforts by the security industry reveal that some of these attacks have existed for several years.[1] Depending on the motive, APT campaigns may attack various industries, organizations or communities from different regions and countries. For instance, the Luckycat campaign targeted the aerospace, energy, engineering, shipping, and military research industries in India and Japan.[2] Additionally, they targeted the Tibetan activists’ community. The IXESHE campaign, on the other hand, targeted East Asian governments, Taiwanese electronics manufacturers, and a telecommunications company.[3] While most of these campaigns have multiple targets, smaller, more subtle campaigns with exceedingly specific targets are also present. The Taidoor campaign is an example of this: all of the compromised victims were from Taiwan, and the majority of them were government organizations.[4]

This research paper will delve into a targeted campaign that targets organizations and communities within South Korea. We call this malicious operation the “HeartBeat campaign.”

[1] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_dissecting-lurid-apt.pdf
[2] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf
[3] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf
[4] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf
Campaign Targets

The HeartBeat campaign appears to target government organizations and institutions or communities that are in some way related to the South Korean government. Specifically, we were able to identify the following targets:

 • Political parties

 • Media outfits

 • A national policy research institute

 • A military branch of the South Korean armed forces

 • A small business sector organization

 • Branches of the South Korean government

The profile of their targets suggests that the campaign may be politically motivated.

Context

The first HeartBeat campaign remote access tool (RAT)[5] component was discovered in June 2012 in a Korean newspaper company network. Further investigation revealed that the campaign had been actively distributing its RAT component to its targets in 2011 and the first half of 2012. Furthermore, we uncovered one malware component that dates back to November 2009. This indicates that the campaign started during that time or earlier.

Earlier versions of the HeartBeat campaign’s RAT component contained the following strings in their code:

Figure 1. Code used in the HeartBeat campaign’s RAT component

Thus, the campaign name “HeartBeat.”

[5] http://en.wikipedia.org/wiki/Remote_administration_software
Attack Vector

In order to gain control over targets’ systems, HeartBeat perpetrators install a RAT in prospective victims’ systems. This RAT arrives as a disguised or fake document which is actually a bundled file. The bundled file contains both a decoy document and the RAT installer, packaged together using a binder tool. Once it runs, the decoy document is displayed to the user while the RAT executes in the background without the user’s knowledge.

It is unclear how these packaged files specifically arrive on victims’ systems, but we highly suspect that spearphishing emails[6] containing the packaged malware were primarily used to distribute them. In fact, the packaged malware used the icon of the decoy document in order to look legitimate. For instance, if the decoy is an XLS file, the package will appear to have an XLS document icon. In addition, some of the decoy files required passwords in order to be viewed.

Figure 2. Example of a decoy Adobe Reader document

The previously mentioned techniques are commonly used in spearphishing attacks where prospective victims are lured to open a seemingly benign document attachment. In order to appear more legitimate, some of these emails contain password-protected documents. The password is then provided in the email body as a social engineering technique.

Based on the samples we collected, the campaign’s decoy documents used the file formats .JPG, .PDF, .XLS, and .HWP, the Korean government standard word processor format. One of the previous HeartBeat attacks even dropped a pornographic .JPG image as decoy. Below is a screenshot of a Hangul Word Processor (.HWP) document used as bait in November 2011. Its document title roughly translates to “Information to the President.hwp.”

Figure 3. A decoy .HWP document

[6] http://blog.trendmicro.com/taiwan-spear-phishers-target-gmail-users/
Infection Flow

Once users open the packaged malicious file, the actual document is displayed to the user while a RAT installer in .EXE format runs in the background. The RAT installer then drops a .DLL file that is injected into the legitimate process svchost.exe. The injected code in svchost.exe connects to the malware command-and-control (C&C) server to register the infection and wait for remote commands.

                                                          Figure 4. Infection diagram for the HeartBeat campaign


©2012 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company
names may be trademarks or registered trademarks of their owners.

The RAT Component

Backdoor Functionalities

The HeartBeat campaign’s RAT component allows attackers to remotely execute the following commands on affected hosts:

 • List running processes and their respective process IDs

 • Download and execute file(s)

 • Update itself

 • Uninstall itself

 • Create or terminate a process

 • List available removable and fixed drives

 • List existing files and their creation date/time

 • Upload file(s)

 • Delete file(s)

 • Get the file creation date/time of a specific file

 • Open remote command shell access

 • Reboot the system

These commands give the attackers complete control over their victims’ systems. Attackers also have the option to uninstall the RAT at any time to cover their tracks and avoid being discovered.

Installation and Persistence

The RAT installer is initially dropped and executed by the packaged file using any of the following file names:

 • %System%\msrt.exe

 • %Program Files%\Common Files\AcroRd32.exe

 • %Program Files%\Common Files\config.exe

 • %Program Files%\Common Files\explorer.exe

The RAT installer in turn drops a .DLL component which contains the backdoor capabilities. In order to stay hidden, the .DLL uses file names similar to those of legitimate applications. Below is a list of file names used:

 • %Program Files%\Common Files\Services\6to4nt.dll

 • %Program Files%\Common Files\System\6to4nt.dll

 • %Program Files%\Windows NT\Accessories\6to4nt.dll

 • %Program Files%\Windows NT\htrn.dll

 • %Program Files%\Windows NT\htrn_jls.dll

 • %Program Files%\Windows NT\hyper.dll

 • %System%\Network Remote.dll

 • %System%\SvcHost.dll

Some of these dropped .DLL files use fake file properties in order not to appear suspicious. The following is an example:

Figure 5. A .DLL that uses fake file properties
In some cases, the RAT installer drops two .DLL files, where one of the .DLLs serves as a loader of the other .DLL file, which contains the backdoor payload.

The .DLL component is then registered as a service through the following added registry entries:

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}
 Type = “20”
 Start = “2”
 ErrorControl = “1”
 ImagePath = “%SystemRoot%\System32\svchost.exe -k netsvcs”
 ObjectName = “LocalSystem”

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}\Parameters
 ServiceDll = C:\Program Files\Windows NT\htrn.dll

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}\Security
 Security = {values}

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}\Enum
 0 = “Root\LEGACY_{service name}\0000”
 Count = “1”
 NextInstance = “1”

 *{service name} may be “6to4”, “Ias” or “Irmon”.

The service is then invoked once installed. This results in the .DLL being injected into the svchost.exe process. This registry modification allows the RAT to execute upon every system startup.

After installation, the RAT installer deletes itself, which leaves only the disguised .DLL and the related registry entries on the affected system.

Note that the presence of any of the files or registry entries above may be an indication of a possible HeartBeat infection on a system.

C&C Communication

Once the RAT’s .DLL component has been injected into svchost.exe, the malware attempts to register itself with the C&C server by sending the following information from the affected system:

 • Computer name

 • Local IP address

 • Service pack

These data are sent along with a campaign code and the string “qawsed”. While the “qawsed” string is not present in earlier versions of their RAT, we suspect that the attackers only recently added this as a default campaign password.

The RAT’s C&C communication is encrypted with XOR encryption using a single-byte key, 02H. Furthermore, the data transferred to and received from the RAT C&C are 800H (2,048 bytes) in size.

Figure 6. RAT’s encryption algorithm before sending data to its C&C server
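The service names, registry values and dropped-file paths listed under Installation and Persistence above can be turned into a host check. The following Python is an added example written for this page, not tooling from the paper or from Trend Micro; the ServiceRecord layout, the placeholder expansions and the sample records are assumptions, and the rule that flags a netsvcs service of those names loading from outside System32 generalises beyond the paper's exact .DLL list.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators from the paper. {service name} was observed as 6to4, Ias or Irmon.
SERVICE_NAMES = {"6to4", "ias", "irmon"}
DROPPED_DLLS = [
    r"%Program Files%\Common Files\Services\6to4nt.dll",
    r"%Program Files%\Common Files\System\6to4nt.dll",
    r"%Program Files%\Windows NT\Accessories\6to4nt.dll",
    r"%Program Files%\Windows NT\htrn.dll",
    r"%Program Files%\Windows NT\htrn_jls.dll",
    r"%Program Files%\Windows NT\hyper.dll",
    r"%System%\Network Remote.dll",
    r"%System%\SvcHost.dll",
]
INSTALLER_FILES = [
    r"%System%\msrt.exe",
    r"%Program Files%\Common Files\AcroRd32.exe",
    r"%Program Files%\Common Files\config.exe",
    r"%Program Files%\Common Files\explorer.exe",
]
# Assumed default locations for the placeholders; adjust for the host examined.
PLACEHOLDERS = {
    "%program files%": r"c:\program files",
    "%system%": r"c:\windows\system32",
    "%systemroot%": r"c:\windows",
}
# ImagePath value the paper shows for the malicious service.
NETSVCS_HOST = re.compile(r"svchost\.exe\s+-k\s+netsvcs\b", re.IGNORECASE)


def normalise(path: str) -> str:
    """Lower-case a Windows path and expand the %...% placeholders."""
    p = path.strip().strip('"').lower()
    for key, value in PLACEHOLDERS.items():
        p = p.replace(key, value)
    return p


KNOWN_DLLS = {normalise(p) for p in DROPPED_DLLS}
KNOWN_INSTALLERS = {normalise(p) for p in INSTALLER_FILES}


@dataclass
class ServiceRecord:
    r"""Subset of the Services\{name} values used by this check (assumed layout)."""
    name: str
    image_path: str
    service_dll: str
    object_name: str = "LocalSystem"


def check_service(rec: ServiceRecord) -> List[str]:
    """Return the reasons (empty if none) a service entry matches HeartBeat."""
    reasons = []
    dll = normalise(rec.service_dll)
    hosted_in_netsvcs = bool(NETSVCS_HOST.search(rec.image_path))
    if dll in KNOWN_DLLS:
        reasons.append(f"ServiceDll is a known HeartBeat .DLL path: {rec.service_dll}")
    if (rec.name.lower() in SERVICE_NAMES and hosted_in_netsvcs
            and not dll.startswith(PLACEHOLDERS["%system%"] + "\\")):
        # Generalisation: the genuine 6to4/Ias/Irmon services load from
        # System32; a netsvcs service of that name loading from elsewhere
        # matches the registry values shown in the paper.
        reasons.append(f"netsvcs service '{rec.name}' loads ServiceDll outside "
                       f"System32: {rec.service_dll}")
    return reasons


def check_files(paths: List[str]) -> Dict[str, str]:
    """Map each path matching a HeartBeat installer or .DLL name to its role."""
    hits = {}
    for p in paths:
        n = normalise(p)
        if n in KNOWN_INSTALLERS:
            hits[p] = "RAT installer"
        elif n in KNOWN_DLLS:
            hits[p] = "RAT .DLL component"
    return hits


# Constructed records for demonstration, not data from a real host.
SAMPLE_SERVICES = [
    ServiceRecord("6to4", r"%SystemRoot%\System32\svchost.exe -k netsvcs",
                  r"C:\Program Files\Windows NT\htrn.dll"),
    ServiceRecord("6to4", r"%SystemRoot%\System32\svchost.exe -k netsvcs",
                  r"%SystemRoot%\System32\6to4svc.dll"),   # the genuine service
    ServiceRecord("Irmon", r"%SystemRoot%\System32\svchost.exe -k netsvcs",
                  r"C:\Program Files\Common Files\System\other.dll"),
]
SAMPLE_FILES = [r"C:\Windows\System32\msrt.exe", r"C:\Windows\System32\calc.exe",
                r"C:\Program Files\Common Files\System\6to4nt.dll"]

if __name__ == "__main__":
    for rec in SAMPLE_SERVICES:
        print(rec.name, check_service(rec) or "clean")
    print(check_files(SAMPLE_FILES))
```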

Figure 7. RAT’s decryption code upon receiving data from the C&C server

During the RAT’s phone home, the following TCP traffic is observed on the network:

When decrypted, the above traffic looks as follows:

The majority of the RAT variants used port 80. Recent variants, however, were observed to use port 443. Other ports we have seen being utilized are port 5600 and port 8080.

Earlier RAT variants did not use encryption on their C&C communication. Moreover, they only sent the computer name and campaign code during phone home. Below is a screenshot of the unencrypted C&C communication.

The C&C traffic size also varied in previous versions. Some early variants used traffic of 28H (40 bytes) and 1004H (4,100 bytes) in size. Additionally, the port, C&C address, campaign code and password are hardcoded in the RAT’s malware body in plain text. In some RAT versions, however, they are encrypted and are decrypted only at run time, possibly to protect the RAT from static analysis by security researchers.

These variations in their RAT component indicate that it has been under continuous development.

Command and Control

The HeartBeat campaign’s C&C domains appear to utilize a site redirection service. Their C&C sites redirect to IP addresses from ISPs in Armenia, the USA, Japan, India and Korea. We observed that they updated the IP address of some of their C&C domains. Likewise, all of their IP addresses belong to legitimate ISPs. Considering this, we suspect that these IP addresses are compromised hosts that act as proxy servers which redirect traffic to the actual C&C servers. Again, this adds another layer of anonymity for the HeartBeat perpetrators.

 Domain                       IP Address
 ahnlab.myfw.us               XXX.XXX.217.123 / XXX.XX.121.84
 kissyou01.myfw.us            XX.XXX.203.122 / XX.XXX.20.103
 kita.myfw.us                 XXX.XXX.217.123 / XXX.XX.121.84
 login.sbs.com.PassAs.us      XXX.XXX.178.50
 mail2.myfw.us                XX.XXX.15.63 / XXX.XXX.198.93
 park007.myfw.us              unknown
 snrp.UglyAs.com              XXX.XXX.169.45
 www.banking.com.PassAs.us    XXX.XXX.178.50
 www.huyang.go.kr.PassAs.us   XXX.XXX.217.123 / XX.XXX.136.115
 www.kinu.or.kr.rr.nu         XXX.XXX.178.50
 www.kndu.ac.kr.myfw.us       XXX.XXX.4.180
 young03.myfw.us              XX.XXX.203.122

Table 1. List of HeartBeat C&Cs

HeartBeat Campaign Codes and Decoy Documents

The campaign codes and decoy documents used by the HeartBeat attackers provided valuable insights into their campaigns. In fact, the majority of their campaign codes included number combinations representing the month and day, in MMDD format, on which the attack attempt was executed. The rest of the campaign code string often describes the decoy document that was used in a specific campaign. For instance, a campaign code from October 2011 is “army-1022”, where attackers used a decoy document containing military-related information.

 Campaign code    Password
 1119HWP          None
 kris0315         None
 PDF-0417         None
 gh-0525          None
 0909-jpg         qawsed
 0916             qawsed
 jpg-jf-0925      qawsed
 army-1022        qawsed
 1103-ghui        qawsed
 1113-minzhu      qawsed
 ajh7884@han      qawsed
 001              qawsed
 0305-ziyoudang   qawsed
 0326-xuehui      qawsed
 0328-junf        qawsed
 0329-mnd         qawsed
 1q2w3e4r         None
 0520-tiegang     qawsed
 guohui-0604      qawsed

Table 2. Campaign codes used

On the other hand, the decoy documents’ contents were also very specific to their targets. For example, some of these documents included logos of specific groups. This information helped us identify the targeted organizations and communities in their previous campaigns.
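To illustrate the C&C traits described under C&C Communication (0x800-byte messages XOR-encoded with the single-byte key 0x02, the “qawsed” password, the smaller unencrypted bodies of early variants) together with the MMDD convention of the campaign codes in Table 2, here is an added Python example; it is not code from the paper. The NUL-separated field layout of the beacon, the field order and the sample values are assumptions, since the paper’s traffic screenshots are not reproduced here.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

XOR_KEY = 0x02                 # single-byte XOR key used by the RAT (from the paper)
ENCRYPTED_SIZE = 0x800         # fixed 2,048-byte size of encrypted C&C messages
LEGACY_SIZES = {0x28, 0x1004}  # 40- and 4,100-byte bodies of early, unencrypted variants
DEFAULT_PASSWORD = b"qawsed"   # default campaign password seen in recent variants
# Four digits not adjacent to other digits, e.g. the "1022" in "army-1022".
MMDD_TOKEN = re.compile(r"(?<!\d)(\d{2})(\d{2})(?!\d)")


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def campaign_date(code: str) -> Optional[Tuple[int, int]]:
    """Return (month, day) from the MMDD part of a campaign code, or None.

    Codes such as "001", "1q2w3e4r" or "ajh7884@han" carry no valid MMDD
    pair and yield None, matching the paper's point that only the majority
    of codes encode a date.
    """
    for mm, dd in MMDD_TOKEN.findall(code):
        month, day = int(mm), int(dd)
        if 1 <= month <= 12 and 1 <= day <= 31:
            return month, day
    return None


@dataclass
class Verdict:
    suspicious: bool
    reason: str
    fields: List[str] = field(default_factory=list)


def _is_printable_ascii(data: bytes) -> bool:
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data)


def triage_beacon(payload: bytes) -> Verdict:
    """Classify one TCP payload against the beacon traits described in the paper.

    Encrypted variant: exactly 0x800 bytes that XOR-0x02 decode to text
    containing the "qawsed" password. Earlier variant: 0x28 or 0x1004 bytes
    of plaintext carrying a campaign code with an MMDD token.
    """
    size = len(payload)
    if size == ENCRYPTED_SIZE:
        clear = xor_decode(payload).rstrip(b"\x00")
        if DEFAULT_PASSWORD in clear:
            # Assumed layout for this example: NUL-separated fields.
            fields = [f.decode("latin-1") for f in clear.split(b"\x00") if f]
            return Verdict(True, "0x800-byte body decodes (XOR 0x02) to text "
                                 "containing 'qawsed'", fields)
        return Verdict(False, "0x800-byte body, but no 'qawsed' marker after XOR decode")
    if size in LEGACY_SIZES:
        clear = payload.rstrip(b"\x00")
        if _is_printable_ascii(clear):
            text = clear.decode("ascii")
            if campaign_date(text) is not None:
                return Verdict(True, f"{size:#x}-byte plaintext body carrying an "
                                     f"MMDD campaign-code token", [text])
        return Verdict(False, f"{size:#x}-byte body without a recognisable "
                              f"plaintext campaign code")
    return Verdict(False, f"{size:#x}-byte body does not match any known HeartBeat "
                          f"beacon size")


def build_sample_beacon(fields: List[bytes]) -> bytes:
    """Build a 0x800-byte encrypted beacon for testing (constructed data, not a
    real capture; the NUL-separated layout is an assumption)."""
    body = b"\x00".join(fields)
    assert len(body) < ENCRYPTED_SIZE
    return xor_decode(body.ljust(ENCRYPTED_SIZE, b"\x00"))


# Constructed sample: the items the paper says the RAT sends on registration,
# followed by a campaign code and the default password.
SAMPLE_FIELDS = [b"WORKSTATION-01", b"192.168.10.23", b"Service Pack 3",
                 b"army-1022", DEFAULT_PASSWORD]
SAMPLE_ENCRYPTED = build_sample_beacon(SAMPLE_FIELDS)
# Constructed 0x28-byte plaintext beacon in the style of the early variants.
SAMPLE_LEGACY = b"WORKSTATION-01 1119HWP".ljust(0x28, b"\x00")

if __name__ == "__main__":
    for name, pkt in (("encrypted", SAMPLE_ENCRYPTED), ("legacy", SAMPLE_LEGACY)):
        v = triage_beacon(pkt)
        print(name, v.suspicious, v.reason, v.fields)
    for code in ("1119HWP", "kris0315", "army-1022", "ajh7884@han", "001", "1q2w3e4r"):
        print(code, campaign_date(code))
```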

Relationships among C&C Domains, IPs, and Campaigns

                                               Figure 7. Relationships between HeartBeat attack components

Attribution

Clues relating to the attackers remain very limited. Using compromised hosts as C&C proxy servers minimizes the possibility of tracking potential threat actors. While a number of their campaign codes included Chinese words such as guohui, xuehui and minzhu, they appear to be comfortable using the English language. Some of the C&C domain names even contained English words. In addition, the binder tool and the RAT component are written in English. For instance, some text from the packaged components’ body included “Select Files!” and “Bind Success!”, while the RAT component included strings such as “Uninstall…ok” and the name of the RAT itself, “HeartBeat.”

The threat actors and the entities that use the information collected from targets may be two separate parties that are only related in a professional and malicious manner. In this case, determining the latter may be impossible. Likewise, it is very difficult to identify the threat actors behind the HeartBeat campaign given the limited amount of information available.

Conclusion

The HeartBeat campaign has been successfully executing targeted attacks since 2009. In order for the attackers to properly track their campaigns and victims, they used campaign codes that contained the campaign dates and strings that described specific campaigns. These campaign codes are embedded in their RAT binaries and were sent to their C&C servers along with information regarding the targets’ systems. Additionally, they used a commercial site redirection service for their C&C domains. These domains redirected to various IP addresses that belonged to legitimate ISPs, which may be compromised hosts that act as proxy servers. This effectively hides the real location of the attackers behind HeartBeat. While having an isolated target may have helped them stay under the security industry’s radar, the attackers illustrated that they were very careful but persistent.

Understanding targeted campaigns and their methodologies is fundamental in protecting both end users and organizations. Not only does it help in coming up with effective defensive strategies through multiple protection layers, it also helps with predicting possible future targets and, ultimately, raising awareness. As of this writing, the HeartBeat APT campaign remains an active targeted campaign.

Timeline

We collected 19 sets of samples related to the HeartBeat campaign from November 2009 to June 2012. This translates to 19 campaigns, the vast majority of which were distributed between 2011 and 2012. Nonetheless, the limited number of samples we were able to obtain still means that the campaign is indeed persistent. The isolated nature of this targeted attack and its small user base may only require the HeartBeat perpetrators to carry out minimal campaigns in order to infiltrate their targets.

 Campaign Date   MD5 (.DLL component)               Compile Date
 (MM/DD/YY)                                         (MM/DD/YY)
 11/19/09        7c6b44d8d87898e7e5deeeb1961b5ae6   9/17/2009
 03/15/11        fcf42cadb3a932989c8e2b29cef68861   12/24/2010
 04/17/11        aab129ffd3bf5ceeae2e0f332217bebc   3/18/2011
 05/25/11        86547d674e7c7da55e8cae359819832f   5/6/2011
 09/09/11        f947e63b14853a69b8ed2648869b5e10   7/25/2011
 09/16/11        7f1a633384ec97fae9d95d1df9e1135a   7/25/2011
 09/25/11        8816c5be1305488019769c81259dad2a   9/21/2011
 10/22/11        874025a66c2b9d9831c03d1bc114876a   10/17/2011
 11/03/11        4046dec1aa0eebb01fe7469184a95398   10/31/2011
 11/13/11        ba370b17dc9eb1d1e1c3187f0768064f   10/31/2011
 12/2011         51274cefb01cee981a09db83c984213d   11/28/2011
 02/2012         d1a2253361045f91ed1902e9ffe2cec3   7/18/2011
 03/05/12        20bb652e1d2679ed230102aa9676eca0   3/1/2012
 03/26/12        c5c0fea23138cddab96fe22b657f9132   3/8/2012
 03/28/12        ef2bc66ea69327d11d1859af26f5aef9   3/8/2012
 03/29/12        8e50af054d2c0b45c88082d53c4fc423   3/8/2012
 04/2012         b1e47ecd68c1c151866cec275716aa67   4/18/2012
 05/20/12        6d205e78fb7730066c116b0c2dffa398   5/2/2012
 06/04/12        5ec175512ba3c6e78597af48bbe6ca60   5/2/2012

Table 3. Specific dates of HeartBeat campaigns

We did not obtain a campaign sample from 2010. However,         that contain file attachments using extensions such as
we highly suspect that their operation was also active          .VBS, .BAT, .EXE, .PIF and .SCR files.
during that year. In fact, we can see in the second MD5
above that the sample was compiled in December 24, 2010.      • Avoid opening email attachments and clicking
Also, it is possible that some of the campaign’s attacks        embedded links from unknown sources
may not have been escalated to antivirus firms by infected
users, or simply remains undiscovered.                        • Block any file with more than one file type extension.

                                                              • When a computer is compromised, isolate it
Defending against the HeartBeat                                 immediately from the network.
Campaign
                                                              • Configure your system to show hidden files and folders
                                                                and display file extensions.

Essential components of defense against the HeartBeat         • Don’t save login credentials on the local computer.
campaign are security-related policies within enterprises.
Once an attack is identified, a good cleanup strategy
should focus on determining the attack vector and cutting
off communications with the C&C server. It is also vital to
determine the scope of the compromise and assessing the
damage through data analysis and forensics.

The following best practices are also advised:

 • Disable services that are related to the HeartBeat RAT
   component.

 • Enable system’s firewall

 • Keep software and operating systems updated
   with latest patches released by vendors to address
   vulnerabilities and exploits.

 • Block unused ports to disallow malware from
   using these ports to communicate and/or enforce
   commands.

 • Monitor network connections for any suspicious
   connection or connectivity.

 • Regularly update list of sites that are trusted.

 • Configure your email server to block or remove email
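The two attachment rules above (block the listed executable extensions, block any file with more than one file type extension) as a mail-gateway policy check. This is an added example, not code from the paper; the function names, the extra entries in BLOCKED_EXTENSIONS beyond the paper’s list, and the whitespace normalization are assumptions.

```python
"""Mail attachment policy check modelled on the paper's best practices: block
attachments with executable extensions (.VBS, .BAT, .EXE, .PIF, .SCR) and any
file carrying more than one file type extension. Added example; the function
names and the extra entries in BLOCKED_EXTENSIONS are assumptions."""
import re
from typing import List, Optional

# The paper's example extensions plus a few other executable types
# (assumption: adjust the set to your own policy).
BLOCKED_EXTENSIONS = {"vbs", "bat", "exe", "pif", "scr", "com", "cmd", "js"}

# An extension token: 1-5 alphanumerics containing at least one letter, so a
# version component like the "2" in "release-1.2.notes" is not an extension.
EXT_TOKEN = re.compile(r"^(?=.*[a-z])[a-z0-9]{1,5}$")


def normalize_name(filename: str) -> str:
    """Lower-case and drop all whitespace, so padding such as
    'report.pdf                    .exe' cannot push the real extension out of view."""
    return re.sub(r"\s+", "", filename).lower()


def extensions_of(filename: str) -> List[str]:
    """Return the trailing extension tokens, e.g. 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = normalize_name(filename).split(".")
    exts: List[str] = []
    # Walk back from the end and stop at the first part that is not an extension.
    for part in reversed(parts[1:]):
        if not EXT_TOKEN.match(part):
            break
        exts.insert(0, part)
    return exts


def attachment_verdict(filename: str) -> Optional[str]:
    """Return None if the attachment passes, otherwise the policy reason."""
    exts = extensions_of(filename)
    if not exts:
        return None
    if exts[-1] in BLOCKED_EXTENSIONS:
        return f"blocked extension .{exts[-1]}"
    if len(exts) > 1:
        return "multiple file type extensions: ." + ".".join(exts)
    return None
```

Legitimate double-extension names such as archive.tar.gz trip the second rule as the paper states it, so allowlist those explicitly if your policy permits them.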

Trend Micro Threat Protection Against The HeartBeat Campaign Components

The following table summarizes the Trend Micro solutions for the components of the HeartBeat campaign. Trend Micro
recommends a comprehensive security risk management strategy that goes further than advanced protection to meet
the real-time threat management requirements of dealing with targeted attacks.

Attack Component: HeartBeat TCP communication is blocked in the network layer as TCP_HBEAT_REQUEST
Protection Technology: Web Reputation
Trend Micro Solution: Endpoint (Titanium, Worry-Free Business Security, OfficeScan); Server (Deep Security); Messaging (InterScan Messaging Security, ScanMail Suite for Microsoft Exchange); Network (Deep Discovery); Gateway (InterScan Web Security, InterScan Messaging Security); Mobile (Mobile Security)

Attack Component: TROJ_DRPBEAT and BKDR_HBEAT variants
Protection Technology: File Reputation (Antivirus/Anti-malware)
Trend Micro Solution: Endpoint (Titanium, Worry-Free Business Security, OfficeScan); Server (Deep Security); Messaging (InterScan Messaging Security, ScanMail Suite for Microsoft Exchange); Network (Deep Discovery); Gateway (InterScan Web Security, InterScan Messaging Security); Mobile (Mobile Security)

Attack Component: IP addresses and domains associated with the campaign
Protection Technology: Web, Domain, and IP Reputation
Trend Micro Solution: Endpoint (Titanium, Worry-Free Business Security, OfficeScan); Server (Deep Security); Messaging (InterScan Messaging Security, ScanMail Suite for Microsoft Exchange); Network (Deep Discovery); Gateway (InterScan Web Security, InterScan Messaging Security); Mobile (Mobile Security)

December 2012 | APT Campaign Quick Profile: HEARTBEAT

  Advanced persistent threats (APTs) refer to a category of threats that aggressively pursue and compromise specific
  targets to maintain persistent presence within the victim’s network so they can move laterally and exfiltrate data.
  Unlike indiscriminate cybercrime attacks, spam, web threats, and the like, APTs are much harder to detect because
  of the targeted nature of related components and techniques. Also, while cybercrime focuses on stealing credit card
  and banking information to gain profit, APTs are better thought of as cyber espionage.

  HEARTBEAT

• First Seen
Individual targeted attacks are not one-off attempts. Attackers continually try to get inside the target’s network.

The “HeartBeat” campaign has been persistently pursuing government agencies since 2009. The samples collected related to this campaign covered attacks seen from November 2009 to June 2012, although the majority of the attacks were seen in 2011 and 2012.

• Victims and Targets
APT campaigns target specific industries or communities of interest in specific regions.

The HeartBeat campaign targets South Korean government organizations and institutions like political parties, media outfits, a national policy
research institute, a military branch of South Korean armed forces, a small business sector organization, and branches of the South Korean
government.

• Operations
The 1st-stage computer intrusions often use social engineering. Attackers custom-fit attacks to their targets.

The threat actors behind HeartBeat install a RAT on the system. The RAT arrives as a disguised or fake document which is actually a bundled file. The bundled file contains both a decoy document and the RAT installer, packaged together using a binder tool. The campaign’s decoy documents used the file formats .JPG, .PDF, .XLS, and .HWP, the Korean government standard word processor format.

• Possible Indicators of Compromise
Attackers want to remain undetected as long as possible. A key characteristic of these attacks is stealth.

The following indicators suggest an infection by the HeartBeat campaign: contiguous 02H bytes in network communication, the presence of certain files and registry entries as detailed in the paper, network connections to certain IPs and domains, and the presence of files detected as TROJ_DRPBEAT and BKDR_HBEAT.
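The network indicator named above, a run of contiguous 02H bytes, as a check an analyst could run over captured TCP payloads. This is an added example with constructed sample flows, not code or captures from the paper; the MIN_RUN threshold and the flow record layout are assumptions.

```python
"""Flag TCP payloads carrying a long run of contiguous 0x02 bytes, the network
indicator the paper gives for HeartBeat RAT traffic. Added example with
constructed flows; MIN_RUN is an assumed threshold, not a value from the paper."""
from typing import Dict, List, Tuple

MIN_RUN = 8  # assumption: shorter runs are treated as incidental


def find_0x02_runs(payload: bytes, min_run: int = MIN_RUN) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of 0x02 bytes at least min_run long."""
    runs: List[Tuple[int, int]] = []
    i, n = 0, len(payload)
    while i < n:
        if payload[i] != 0x02:
            i += 1
            continue
        start = i
        while i < n and payload[i] == 0x02:
            i += 1
        if i - start >= min_run:
            runs.append((start, i - start))
    return runs


def flag_flows(flows: List[Dict], min_run: int = MIN_RUN) -> List[Tuple[int, str, int]]:
    """Return (flow id, destination, longest run) for each flow with a qualifying
    run, so the destination can be checked against known campaign infrastructure.
    Each flow is a dict with 'id', 'src', 'dst' and 'payload' (constructed schema)."""
    flagged = []
    for flow in flows:
        runs = find_0x02_runs(flow["payload"], min_run)
        if runs:
            flagged.append((flow["id"], flow["dst"], max(length for _, length in runs)))
    return flagged


# Constructed sample flows (documentation addresses, not real captures).
SAMPLE_FLOWS = [
    {"id": 1, "src": "10.0.0.5", "dst": "198.51.100.7",
     "payload": b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"},
    {"id": 2, "src": "10.0.0.5", "dst": "203.0.113.9",
     "payload": b"\x02" * 16 + b"\x00\x10abcd"},
    {"id": 3, "src": "10.0.0.8", "dst": "203.0.113.9",
     "payload": b"\x01\x02\x02\x03" + b"\x02" * 3},  # short runs only
]

if __name__ == "__main__":
    for flow_id, dst, longest in flag_flows(SAMPLE_FLOWS):
        print(f"flow {flow_id} to {dst}: longest 0x02 run = {longest} bytes")
```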

• Relationship with other APT Campaigns
This attack does not seem to have any relationship with other APT campaigns.

TREND MICRO INCORPORATED

Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and threat management solutions for businesses and consumers. A pioneer in server security with over 20 years’ experience, we deliver top-ranked client, server and cloud-based security that fits our customers’ and partners’ needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the industry-leading Trend Micro™ Smart Protection Network™ cloud computing security infrastructure, our products and services stop threats where they emerge—from the Internet. They are supported by 1,000+ threat intelligence experts around the globe.

TREND MICRO INC.
10101 N. De Anza Blvd.
Cupertino, CA 95014

U.S. toll free: 1 +800.228.5651
Phone: 1 +408.257.1500
Fax: 1 +408.257.2003
www.trendmicro.com

©2012 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company
names may be trademarks or registered trademarks of their owners.
